from the unconstitutional dept

As we've noted many times in the past, the entertainment industry likes to take a multi-pronged approach to its quixotic efforts to "stop piracy" (which could be much better dealt with by simply giving the public more of what they want). Working on federal copyright law to continually expand it is one main strategy, but there are a lot of others as well, including pressuring private companies to voluntarily censor content, getting international trade agreements to force laws to change and... getting random state laws to force through big changes quietly. This last strategy has come into focus lately, especially with the rise of so-called "true origin" bills, that are almost certainly unconstitutional, but are rapidly popping up in a variety of states. This is actually a replay of an old strategy. I remember similar "true origin" efforts being pushed about a decade ago, and I'd thought they'd completely died out... but they're back.

The way they work is pretty simple: they outlaw anonymity on the internet if your website distributes any kind of audiovisual work. The point of this is twofold: one, for those who "register" and reveal their name and address, it makes it easier for the RIAAs and MPAAs of the world to sue a site for copyright infringement. And, for those who don't reveal their names, the RIAA and MPAA can ask the states to prosecute the site owners for failing to reveal their names.

A few weeks ago, we wrote about Florida's proposed law, which would require any website that hosts audio or video to reveal their name and address. This could have disastrous consequences for whistleblowers or anonymous critics. In the US, the Supreme Court has long recognized the importance of protecting anonymity as a part of the First Amendment, but this bill does away with that completely, just because the movie and music industries think it's necessary to stop piracy (even though it won't do that). Unfortunately, it appears that despite widespread criticism, the Florida bill is expected to move forward this week. If you happen to live in Florida, the EFF has set up a tool to help you alert your elected representatives to why such a bill is a terrible and unconstitutional idea.

But... it's not just Florida. One year ago, Tennessee enacted a similar bill, called the "True Origin of Goods Act" which is nearly identical to the Florida bill. And just last month, here in California, Assemblymember Ian Calderon (who has positioned himself as friendly to technology) introduced a similar bill. The California bill is at least somewhat more limited than the others in that it appears to focus mostly on physical copies that are offered for "sale" or "rental" -- but it at least raises questions about anonymity rights, and opens the door to future adjustments to "match" this law to internet displays of content.

The efforts here are all basically the same: quietly use state laws to undermine anonymity in an effort to help the RIAAs and MPAAs of the world try to track down the owners of websites they don't like. Whether or not you agree with that idea, the fact that to accomplish that (somewhat pointless) goal would undermine basic First Amendment concepts like anonymity and the ability to speak freely, doesn't seem to be of much concern to the supporters of these bills.

It's the same old story we've seen before with SOPA and other bills: the copyright industry doesn't seem to care in the slightest about collateral damage from its quixotic effort to stop piracy, rather than to provide the public with better offerings. And, of course, copyright is supposed to be an issue for federal law, not state law, and these efforts are ways that the copyright industry is trying to backdoor in systems to undermine free speech in yet another weak attempt to accomplish a singular and pointless goal.

from the how-secure-is-that-database? dept

As the murder of the opposition politician Boris Nemtsov last week reminds us, the political situation in Russia is not just difficult, but extremely dangerous. Presumably hoping that technology might offer a relative safe way to cope with this situation, a Russian NGO has announced that it will be launching a nationwide social network dedicated to fighting bribery and corruption. You might expect that anonymity would be a crucial aspect, given the risks faced by those who choose to join. And yet, as this RT article explains, that's not the case (via @prfnv):

the new project will have one major difference from existing social networks -- a complete lack of anonymity. Membership will only be granted by invitation from existing members, and even when this condition is met, the institute that launches the project promises to open accounts only after verifying the identity of potential members in real life.

The users will have to provide a lot of details about themselves -- from name and date of birth, to place of work, e-mail and phone numbers. The people launching the project say that this is a necessary measure to prevent attempted slander, which they see as the main danger threatening their network.

That people could use the network to spread false accusations is certainly a risk, but hardly the main danger, which is surely that those accused of corruption may decide to settle things in the same way as Nemtsov's enemies. Creating a network of anti-corruption activists and lawyers will make its membership database extremely desirable for many nefarious actors, who would doubtless find things like place of work and phone numbers useful for future attempts to "dissuade" people from coming forward with information about bribe-taking. Let's just hope the new social network's security advisers are really good.

from the baby-SOPA dept

This week, the Florida state legislature is considering a bill that would make it illegal to run any website or service anonymously, if the site fits a vague category of “disseminat[ing]” “commercial” recordings or videos—even the site owner’s own work. Outlawing anonymous speech raises a serious First Amendment problem, and laws like this one have been abused by police and the entertainment industry.

The bill (Senate and House versions) seems to be catering directly to the entertainment industry and could give local law enforcement City of London Police-esque powers to act as de facto copyright cops. And its potential stripping of anonymity not only requires disclosure to law enforcement, but everyone else on the web.

A person who owns or operates a website or online service dealing in substantial part in the electronic dissemination of commercial recordings or audiovisual works, directly or indirectly, to consumers in this state shall clearly and conspicuously disclose his or her true and correct name, physical address, and telephone number or e-mail address on his or her website or online service in a location readily accessible to a consumer using or visiting the website or online service.

Do-it-yourself doxxing! What could possibly go wrong? Handing over your personal information to complete strangers always works out so well. The bill seems only concerned with giving rights holders easier access to potential infringers (still problematic), completely ignoring the unintended consequences of forcing certain site owners to hand out their personal information proactively, rather than only by law enforcement subpoena or court order.

On top of that, there's the vagueness of the language. "Directly or indirectly" can mean a lot of things -- like links to alleged infringement elsewhere on the web. And it would potentially force any number of site owners worldwide to give up their anonymity. The bill isn't limited to sites/site owners residing in Florida. All it says is "electronic dissemination… to consumers in this state." If a website can be accessed from Florida, it conceivably falls under the jurisdiction of this proposed law.

This would give the Grady "Showboat" Judds of Florida law enforcement all the reason they need to send ad hoc anti-piracy task forces all over the US to shut down infringing sites. Even if the damage was solely confined to Florida, it would still be a bad idea.

Similar “true name and address” laws in other states have been used to justify police raids on music studios. In 2007, a Georgia police SWAT team (with RIAA employees in tow) raided the studio of DJ Drama and DJ Cannon, makers of influential “mixtapes” that record labels used to promote their artists. The police arrested the DJs and confiscated their CDs and equipment. Their justification wasn’t copyright law (which is a federal law) but a more limited version of the same law Florida is considering, one that applies only to physical goods. If Florida expands on Georgia’s law by including websites, we could see similar police raids against music blogs or other avenues of online speech. And the works on the site might even be in the public domain, as long as some “owner, assignee, authorized agent, or licensee”—perhaps a broadcaster—complains.

If there is a bright side to this proposed law, it's that it doesn't gut Section 230 protections and contains the smallest of nods towards Fair Use. But that's it. Otherwise, it's a mess -- a bill designed to expedite the pursuit of infringers at the expense of free speech and online anonymity.

They also asked the Kremlin why anyone would want to register -- and were told that registering could help attract more advertising dollars. But then, my favorite bit:

When asked how he would evaluate the effectiveness of the blogger law, Zharov said he would weigh the extent to which it succeeds in improving the “quality” of Russian blogging, by which he meant lowering the amount “profanity, unverified information, and libel.”

Yeah, sure, it's all about reducing "profanity" and not about silencing criticism, right? Oh, and if reducing profanity is the goal, this seems to be doing fuck all in helping with that:

Three of the 369 blogs on Roskomnadzor’s registry contain the word “fuck” in their names. One of these three is the Vkontakte community “Fuckbet,” a sports analysis website that provides “access to the best sports tips in the Commonwealth of Independent States” (presumably as an aid to individuals betting on the games). Another of this trio is “Fuck_Humor,” a Vkontakte group that specializes in amusing memes. One of the community’s most recent posts features a joke about fellatio, depicting what looks to be semen on a young girl’s thigh.

Last year, we had also pointed out that Russian officials were threatening to block both Twitter and Facebook for not cooperating with the government's new registry plans. The Global Voices article notes that since Twitter is not cooperating at all on this registry effort, the Russian government has been reduced -- no joke -- to begging Russian Twitter users to post screenshots of their analytics page so the government can determine if they're getting too many visitors.

When it comes to Twitter accounts, Roskomnadzor seems to have relied similarly on volunteers, as the ten Twitter users who now appear on the blogger registry are mostly pro-Kremlin media figures (plus a few Internet celebrities).

In fact, Roskomnadzor’s desperation with Twitter led it last month to solicit bloggers directly, and rather embarrassingly, for “screenshots” of their analytics data, which Twitter has refused to provide to the Russian government.

It's still unclear what Russia is going to do with those who have chosen not to sign up for the registry, but this move is still concerning for supporters of free speech and the right to express yourself anonymously.

Egocentric cameras are being worn by an increasing number of users, among them many security forces worldwide. GoPro cameras already penetrated the mass market, and Google Glass may follow soon. As head-worn cameras do not capture the face and body of the wearer, it may seem that the anonymity of the wearer can be preserved even when the video is publicly distributed. We show that motion features in egocentric video provide biometric information, and the identity of the user can be determined quite reliably from a few seconds of video.

The paper describing the work also points out some consequences of this result:

Egocentric video biometrics can prevent theft of wearable cameras by locking the camera when worn by people other than the owner. In video sharing services, this Biometric measure can help to locate automatically all videos shot by the same user. An important message in this paper is that people should be aware that sharing egocentric video will compromise their anonymity.

On the plus side, this also means that videos from police body-cameras can also be tied to particular officers, which may help to make such evidence less vulnerable to tampering.

from the 'for-the-children,-although,-technically,-children-aren't-old-enough-to dept

Canada's lawful access/cyberbullying bill (C-13) is still creeping through the country's legislative arteries and generally getting worse as time goes on -- as is to be expected when adding cyberbullying to a long list of presumably thwartable horrors like terrorism, child molestation and drug smuggling. What's desired by many is a generous expansion of government and law enforcement powers. And those desiring this expansion have the horrific scenarios needed to back up their requests for more access.

The Ontario Provincial Police (OPP) was part of the law enforcement panel and was asked by Senator Tom McInnis, a Conservative Senator from Nova Scotia, about what other laws are needed to address cyberbullying.

We'll pause right there to briefly address McInnis, Nova Scotia and cyberbullying. McInnis is tossing out this leading question because his home province recently passed a truly terrible anti-cyberbullying law in response to a student's death -- a law that leaves it up to accusers and judges (the accused are not invited) to decide whether any sort of action or communication rises to the extremely low bar of being "harmful" to the accuser's "emotional well-being." If said communications are deemed to be "bullying" (again, without input from the accused), police can seize computers and other electronics, along with user data from the accused's ISPs and then shut off internet access altogether.

Now that we know why McInnis would like to see cyberbullying addressed, we can return to the statement he received in response from Special Inspector Scott Naylor of the OPP, which ignores the Senator's lob pass and pursues its own agenda.

If the bag was open and I could do anything, the biggest problem that I see in the world of child sexual exploitation is anonymity on the Internet. When we get our driver’s licence we’re required to get our picture taken for identification. When you get a mortgage you have to sign and provide identification. When you sign up for the Internet, there is absolutely no requirement for any kind of non-anonymity qualifier. There are a lot of people who are hiding behind the Internet to do all kinds of crime, including cybercrime, fraud, sexual exploitation and things along those lines.

Because some people do bad things (and maybe get away with it), everyone should have to apply for a license to use the internet. Sounds very Russian (and, to be honest, even slightly American) -- something no government official in any part of the "free world" should even appear to be considering.

Naylor obviously realizes his idea will be unpopular, hence the "child sexual exploitation" lead-in. That makes his assertion binary. Either you're for an internet driver's license or you're for child molestation: which is it? This is a common law enforcement affliction -- seeing anything that makes the job slightly more difficult as a barrier to be eliminated. And, as always, technological advancements are portrayed as being solely advantageous to criminals.

The Internet is moving so quickly that law enforcement cannot keep up. If there were one thing that I would ask for discussion on is that there has to be some mechanism of accountability for you to sign on to an Internet account that makes it like a digital fingerprint that identifies it to you sitting behind the computer or something at that time. There are mechanisms to do it, but the Internet is so big and so vast at this point, and it’s worldwide, I’m not sure how that could happen, but that would certainly assist everybody. In that way I can make a digital qualification that that’s the person that I’m talking to. If I had one choice, that’s what I would ask for.

Hey, a man can dream. And then he should be asked to stop talking before he embarrasses himself further. Law enforcement agencies love busting criminals, but seem to resent everything else about the job, like performing investigations, acquiring warrants, etc. Naylor wants a nice, tidy database of internet users he can access whenever he feels he needs to. Senator McInnis, who should know better than to touch a politically-toxic idea like this, not only approved this comment for inclusion but stated that he "absolutely agreed" with Naylor's Orwellian wish.

But McInnis and Naylor have no idea what they're asking for/agreeing with, at least not in terms of the Canadian court's position on online anonymity.

Leaving aside the deeply troubling inference of requiring licences to the use the Internet in the same manner as obtaining a driver’s licence, the police desire to stop online anonymity suggests that the OPP has not read the Supreme Court of Canada Spencer decision very carefully. If it had, it would know that not only does the court endorse a reasonable expectation of privacy in subscriber information, but it emphasizes the importance of online anonymity in doing so.

Naylor and McInnis have just sacrificed their credibility for one of the shoddiest and overused of rhetorical devices: child molestation. Much like terrorism, the threat of pedophilia is summoned as often as is needed to suppress rational arguments and ensure the desired outcome is obtained. These two threats are routinely abused to route around citizens' protections and rights. Whatever powers are granted are then deployed to handle routine criminal activity, the sort of thing that fails to move legislators or create memorable soundbites. "Child sexual exploitation" has become synonymous with mission creep and rights erosion, but those in the position to make legislative changes are rarely interested in appearing to be "soft" on sex offenders, and pitch in happily to cart away citizens' rights and pave the way for frictionless law enforcement and mission creep.

from the freedom?-what-freedom? dept

Ahmed Ghappour, over at JustSecurity, alerts us to a rather frightening proposal from the Justice Department that would enable law enforcement to hack into the computers of people who are trying to be anonymous online. At issue is that current rules basically would extend the powers granted for terrorism investigations to everyday criminal investigations, concerning specifically the DOJ/FBI's ability to hack into computers. In the past, judges could issue warrants for such computer hacking if the target was known to be located in the same district. But the proposed change would wipe out that limitation, and basically give the DOJ/FBI the power to get approval for hacking into a much broader range of computers. Without the geographical limitation, there's concern about just how broadly this new power would be (ab)used:

The DOJ proposal will result in significant departures from the FBI’s customary practice abroad: overseas cyber operations will be unilateral and invasive; they will not be limited to matters of national security; nor will they be executed with the consent of the host country, or any meaningful coordination with the Department of State or other relevant agency.

Under the DOJ’s proposal, unilateral state action will be the rule, not the exception, in the event an anonymous target “prove[s] to be outside the United States.” The reason is simple: without knowing the target location before the fact, there is no way to provide notice (or obtain consent from) a host country until after its sovereignty has been encroached.

Without advanced knowledge of the host country, law enforcement will not be able to adequately avail itself to protocols currently in place to facilitate foreign relations. For example, the FBI will not be able to coordinate with the Department of State before launching a Network Investigative Technique. This puts the U.S. in a position where a law enforcement entity encroaches on the territorial sovereignty of foreign states without coordination with the agency in charge of its foreign relations.

In short, every new criminal investigation by the FBI will open up the possibility of a diplomatic nightmare and embarrassment. But, really, who cares when there are criminals to go after, right?

When a state’s sovereignty is encroached upon, its response depends on the nature and intensity of the encroachment. In the context of cyberspace, states (including the United States) have asserted sovereignty over their cyber infrastructure, despite the fact that cyberspace as a whole, much like the high seas or outer space, is considered a “global common” under international law.

[....] Given the public nature of the U.S. criminal justice system, it is hard to see how the FBI will avoid risk of prosecution (similar to that in the Chelyabinsk incident) if the DOJ proposal is approved.

And, of course, there are other issues with the proposal as well -- as you'd expect any time you see law enforcement seek to move anti-terrorism tools over to standard crime-fighting. For example, the current proposal could authorize questionable hacking techniques by the FBI. Ghappour suggests that if the DOJ really wishes to push forward with such a proposal, it needs to clearly limit the techniques that are allowed:

The Rule should not authorize drive-by-downloads that infect every computer that associates with a particular webpage, the use of weaponized software exploits in order to establish “remote access” of a target computer, or deployment methods that risk indiscriminately infecting computer systems along the way to the target. Nor should the Rule authorize a “search” method that requires taking control of peripheral devices (such as a camera or microphone).

There are other suggestions, of course. As it stands, the proposed amendment allows the FBI to use a wide array of invasive (and potentially destructive) hacking techniques where it may not be necessary to do so, against a broad pool of potential targets that could be located virtually anywhere.

Of course, why would the DOJ ever limit itself when it has the chance to get access to an even more powerful tool for hacking into anyone's computers?

From one week of logs, we were able to attach a timestamp to 15,000 records. Each time Ton's phone made a connection with a communications tower and each time he sent an e-mail or visited a website, we could see when this occurred and where he was at that moment, down to a few metres. We were able to infer a social network based on his phone and e-mail traffic. Using his browser data, we were able to see the sites he visited and the searches he made. And we could see the subject, sender and recipient of every one of his e-mails.

That's very similar to the sort of thing governments around the world are now routinely demanding. Here's what the researchers were able to find out about various aspects of his life as a result. The basics:

Ton is a recent graduate in his early twenties. He receives e-mails about student housing and part-time jobs, which can be concluded from the subject lines and the senders. He works long hours, in part because of his lengthy train commute. He often doesn’t get home until eight o'clock in the evening. Once home, he continues to work until late.

His work:

Based on the data, it is quite clear that Ton works as a lawyer for the digital rights organisation Bits of Freedom. He deals mainly with international trade agreements, and maintains contact with the Ministry of Foreign Affairs and a few Members of Parliament about this issue. He follows the decision-making of the European Union closely. He is also interested in the methods of investigation employed by police and intelligence agencies. This also explains his interest in news reports about hacking and rounded-up child pornography rings.

His social networks:

From a social network analysis based on Ton's e-mail traffic, it is possible for us to discern different groups to which he belongs. These clusters are formed by his three e-mail accounts. It may be the case that the groups would look a bit different if we were also to use the metadata from his phone. However, we agreed to not perform any additional investigation, such as actively attempting to discover the identity of the user of a particular number, so as to protect the privacy of those in Ton’s network.

There is much more of this in the post, and it's well-worth reading the whole thing to see just how much the researchers were able to find out. But it gets even more interesting -- and troubling -- when they move beyond this passive analysis of metadata to using this information to break into accounts:

The analysts from the Belgian iMinds compared Ton's data with a file containing leaked passwords. In early November, Adobe (the company behind the Acrobat PDF reader, Photoshop and Flash Player) announced that a file containing 150 million user names and passwords had been hacked. While the passwords were encrypted, the password hints were not. The analysts could see that some users had the same password as Ton, and their password hints were known to be 'punk metal', 'astrolux' and 'another day in paradise'. ‘This quickly led us to Ton Siedsma's favourite band, Strung Out, and the password "strungout",' the analysts write.

With this password, they were able to access Ton's Twitter, Google and Amazon accounts. The analysts provided a screenshot of the direct messages on Twitter which are normally protected, meaning that they could see with whom Ton communicated in confidence. They also showed a few settings of his Google account. And they could order items using Ton's Amazon account -- something which they didn't actually do. The analysts simply wanted to show how easy it is to access highly sensitive data with just a little information.

That gives a hint of the havoc that government agencies with access to your metadata could wreak on your life -- not only reading the contents of your emails, but also possibly accessing ecommerce or even bank accounts. We should be grateful to Siedsma for having the courage to hand over this intimate data, and for reminding us yet again why it is wrong to call it "just" metadata.

from the making-the-NSA-cry dept

Before Snowden, Tor was an important but rather obscure tool, mostly of interest to those living under oppressive regimes who wanted to access the Internet freely without risking imprisonment or worse. Post-Snowden, things are more complicated. On the one hand, it is clearly one of the key tools that we can all use to thwart attempts by intelligence agencies to monitor what we are doing online. On the other hand, for that very reason, Tor has been the subject of serious attempts by the NSA, GCHQ and the Russian Ministry of Internal Affairs to compromise it so that they can gain information about its users. The fact that, as far as the NSA and GCHQ are concerned,Tor -- "The Onion Router" -- "stinks", as one of the slides leaked by Snowden puts it, is an excellent reason for people to support its recent "call to arms":

We used to think there are two main ways that the Tor network can fail. First, legal or policy pressure can make it so nobody is willing to run a relay. Second, pressure on or from Internet Service Providers can reduce the number of places willing to host exit relays, which in turn squeezes down the anonymity that the network can provide. Both of these threats are hard to solve, but they are challenges that we've known about for a decade, and due in large part to strong ongoing collaborations we have a pretty good handle on them.

But lately, the people behind Tor have realized there is a new problem they must deal with:

We missed a third threat to Tor's success: a growing number of websites treat users from anonymity services differently. Slashdot doesn't let you post comments over Tor, Wikipedia won't let you edit over Tor, and Google sometimes gives you a captcha when you try to search (depending on what other activity they've seen from that exit relay lately). Some sites like Yelp go further and refuse to even serve pages to Tor users.

The rest of the post explores possible solutions to this growing rejection of Tor, such as technical mechanisms that allow anonymous users to interact with websites, and social mechanisms -- using a community to help police problems with anonymous users. But as the post notes, these haven't worked too well in past. It therefore suggests a third approach:

The solution I envision is to get a person who is both technical and good at activism to focus on this topic. Step one is to enumerate the set of websites and other Internet services that handle Tor connections differently from normal connections, and look for patterns that help us identify the common (centralized) services that impact many sites. At the same time, we should make a list of solutions -- technical and social -- that are in use today. There are a few community-led starts on the Tor wiki already, like the DontBlockMe page and a List of Services Blocking Tor.

Step two is to sort the problem websites based on how amenable they would be to our help. Armed with the toolkit of options we found in step one, we should go to the first (most promising) site on the list and work with them to understand their problem. Ideally we can adapt one of the ideas from the toolkit; otherwise we'll need to invent and develop a new approach tailored to their situation and needs. Then we should go to the second site on the list with our (now bigger) toolkit, and so on down the list. Once we have some success stories, we can consider how to scale better, such as holding a conference where we invite the five best success cases plus the next five unsolved sites on our list.

It's good to see such a key project both identifying problems and coming up with possible ways to tackle them. The post contains further details of future plans, the people and organizations involved -- and even an offer of funding for those who want to help ensure that The Onion Router's stink continues to make the people at the NSA and GCHQ cry.

from the wait,-what? dept

Kaspersky Lab, the internet security/anti-virus company published a somewhat bizarre article a little while ago, entitled "Why we should not be afraid of being watched while online." The text is no longer there, because it's been replaced by:

The content of this article was actually a draft of the column by an independent author. It was published accidentally, and Kaspersky Lab do apologize for misunderstanding.

Author’s views do not reflect the official position of Kaspersky Lab on the subject of privacy

At least at the time I'm writing this, you can still see the full text via Google's cache, though that may go away soon. The really ridiculous part is actually the final paragraph. The main part of the article lists out five areas where there are benefits to sharing your info (more on that in a second) and then it comes to this ridiculous conclusion:

Apart from these five reasons, there are many more why you shouldn’t be paranoid and try to conceal your location while online. Remember if you’re doing nothing wrong, you have nothing to hide. There is almost to zero chance that you would be of interest to any secret service on the planet. The only nuisance to you will be advertisement robots – and there are more effective tools against them than online anonymity.

The whole "doing nothing wrong, got nothing to hide" argument is so stupid and so widely debunked that anyone uttering that phrase automatically loses pretty much all credibility. Similarly, the "there's almost no chance that you would be of interest" to any intelligence service is similarly stupid. First of all, that's only true until it's not true, and then it's a bit too late. And even if 99% of people aren't of interest, shouldn't we be concerned about the 1% of people whose rights and privacy are abused? As the supposed quote from Cardinal Richelieu goes: "give me six lines written by the hand of the most honest of men, I will find something in them which will hang him." There's always a way to twist purely innocent things into looking nefarious if you want to. We should all be concerned about the power to abuse someone's privacy.

Eugene Kaspersky has distanced himself from the article, stating that "privacy is a precious thing that people should protect no matter what. Sometimes the columnists don't reflect our opinion." Still, the fact that it was published (even if accidentally) on the Kaspersky website is bizarre.

As for the main part of the article, it's actually not that crazy, but whoever wrote it gets the exact wrong lesson out of his or her own writing. The article highlights five areas where it is, in fact, potentially useful to share some information -- such as doing local searches or being able to track your route. And, indeed, these are useful cases in which people very frequently find the value of sharing some information (such as location) with a third party service, in exchange for some benefit.

But the key issue here, which is totally ignored by that final paragraph, is that these decisions -- including the benefits and costs -- should be transparent, clear and optional. When an individual makes the decision to share information in such a manner, it should be their decision, well aware of what they're sharing, why and what benefits there are with it. The concern that most people have is how these things are done in a sneaky fashion, with no transparency, and often for little or no benefit. To put a blanket "eh, don't worry about it" because of some usefulness in some cases and then ignoring the abuses by saying "eh, probably won't happen to you because no one's that interested in you" is ignorant in the extreme.

Either way, it seems flat out ridiculous that an internet security company would publish an article. I could see it as a silly Slate pitch or something, but on a security company's website? As Aral Balkan joked, next on Kaspersky's website, perhaps we'll see an article on "viruses aren't that bad... why can't we all just get along?"